From 2958a406a90623e694788536a949a3404dfd0b5a Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Mon, 30 Oct 2017 22:16:27 +0000
Subject: [PATCH] rhel7stig: sshd.yml: Respect the STIG sshd configuration

Appending sshd configuration options at the end of the file doesn't work as expected. If the same keyword is set multiple times, sshd will only respect the first occurence. As such, all the options that we add at the EOF will do nothing if any of them is already set in the file already. In order to make sure that all our options are respected, we need to add all of them at the beginning of the file. This can be easily demonstrated if we use the following keywords in an sshd config file assuming we have /etc/motd already. PrintMotd yes PrintMotd no $ ssh root@localhost Last login: Tue Oct 31 09:28:28 2017 from ::1 Have a lot of fun... But if we swap the options to PrintMotd no PrintMotd yes Last login: Tue Oct 31 09:29:55 2017 from ::1

Closes-Bug: #1728735
Change-Id: I02f2b9bc612d67ed7b23d853012d3b6374f65c9d
---
 tasks/rhel7stig/sshd.yml | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index 2098ccbb..b66ac1af 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -13,21 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Adding additional sshd configuration options is usually easy, but if a
-# configuration file ends with certain configurations, like a "Match" stanza,
-# we need a blank line to separate those configurations from the ones that
-# are added by the security role. For that reason, we check for the existence
-# of a marker line here and add a marker line to the file if it doesn't exist.
-
-- name: Find first 'Match' line in sshd_config (if it exists)
-  shell: "grep '^Match' /etc/ssh/sshd_config || echo 'EOF'"
-  register: sshd_match_check
-  changed_when: False
-  check_mode: no
-  tags:
-    - always
-    - sshd
-
 - name: Copy login warning banner
   copy:
     content: "{{ security_login_banner_text }}"
@@ -45,7 +30,7 @@
     dest: /etc/ssh/sshd_config
     state: present
     marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
-    insertbefore: "{{ sshd_match_check.stdout_lines[0] }}"
+    insertbefore: "BOF"
     validate: '/usr/sbin/sshd -T -f %s'
     block: "{{ lookup('template', 'sshd_config_block.j2') }}"
   notify:
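Review bot: `insertbefore: "BOF"` only takes effect when the ANSIBLE-HARDENING markers are not yet present in sshd_config; blockinfile updates an existing marked block in place, so hosts that already received the block at EOF (or ahead of a Match line) under the old task keep it there and the first-occurrence problem described in the commit message persists for them. The commit does not handle that migration, and `validate: '/usr/sbin/sshd -T -f %s'` will not surface it either, since sshd accepts duplicate keywords and silently ignores all but the first. At minimum the task should record the constraint next to the option, e.g. `# sshd honours only the first occurrence of a keyword, so the managed block must come first; blockinfile only honours insertbefore when the markers are absent, so a block already present at its old position is updated in place, not moved.` Note also that a later `Match` stanza can still override these global keywords for matching connections, so BOF placement does not make the hardening values authoritative against Match overrides. The blockinfile task's `name:` and module line begin above this hunk.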